The Compliance Risk of Social Media

The guidelines recently issued by the FFIEC on risk management and the use of social media for financial institutions only scratches the surface of this burgeoning issue.

Last week, the FFIEC released proposed risk management guidelines for financial institutions using social media. The guidelines did not delve too much into specifics, offering more of a broad outline of the potential risk and compliance issues that can arise in the burgeoning social media channel.

"Financial institutions may use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers, for example, by receiving and responding to complaints, or providing loan pricing," reads a portion of the FFIEC paper. "Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions."

The FFIEC continues, "A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium. For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing."

The FFIEC cautioned banks that there are several areas of risk when engaging customers in social media. For example, if a bank uses social media to market products or originate new accounts, it must make sure all its communications are in accordance with laws such as the Truth in Savings Act, Truth in Lending Act, and Section 5 of the Federal Trade Commission (FTC) Act. which prohibits “unfair or deceptive acts or practices in or affecting commerce.”

These are but a few of the myriad of risk concerns banks must take into account when engaging in social media.

Matt Putvinski, director of Wolf & Company's IT Assurance Services group, says the guidelines "are a good first step" and expects to see more robust guidance offered by the FFIEC when it publishes its final version of the report after receiving feedback from financial institutions.

"I did like the fact that the paper talked about the inventory of social media channels and looked at the risk indicative in each one," he adds. "There is some differences in the way you use Facebook as opposed to Twitter."

Ultimately, Putvinski believes the bets way for financial institutions to mitigate risk related to social media is to have a clearly stated social media policy and to educate employees on the proper use of social media.

"Some might want to block access to social media sites from computers within the institution, but that can't stop someone from going on their phone and accessing them," he says. "At the end of day it is a matter of education in this area, the best thing you can do is tell people the best practices and most people will follow them."

Bryan Yurcan is associate editor for Bank Systems and Technology. He has worked in various editorial capacities for newspapers and magazines for the past 8 years. After beginning his career as a municipal and courts reporter for daily newspapers in upstate New York, Bryan has ... View Full Bio

I agree with Bryan -- the social media compliance officer type of position has evolved in other industries. But even elsewhere, say pharmaceuticals, for example, the guidelines released by governing bodies are just as broad as the FFIEC proposed guidelines seem to be, so these new social compliance officers will have to rely on innovation and best practices and a strong understanding of the Truth in Savings Act and other laws to navigate this growing area of concern.

How serious do you think financial services firms are taking this? The guidelines don't seem to amount to much more than "be careful" and "don't violate existing government regulations." I wonder if, like with most other things, institutions will only be forced to take action after something bad happens, or laws are passed with more than just guidelines (likely BECAUSE something bad happens).

This is quite interesting. Do you think risk management for social media will become a new field of specialization within financial services? But the notion of banning FS employees from accessing social media on their mobile phones, seems to contradict the point of social media.